Monitoring of network traffic has a broad range of applications, from network re-design and provisioning to detection of malicious network attacks. Conventional network monitors allow some degree of flexibility in choosing what type of traffic is captured. For example, a user can specify that all packets to a particular link-level or network-level address are captured. However, once a particular capture configuration is selected, conventional network monitors require redeployment or reinstallation of the network monitor to change the capture configuration. Yet it is often difficult for a user to foresee in advance what type of traffic will be useful to him if captured. This forces the user to take a trial-and-error approach. First the user selects a particular configuration to capture traffic and analyzes the captured traffic. If the user determines from this analysis that another type of traffic would be useful to him but was not captured, the user reinstalls the network monitor with another capture configuration and tries again. Therefore, a need exists for these and other problems to be addressed.